Mobile apps cited in Deloitte trophy breach

Security analysts criticized Deloitte Touche Tohmatsu Ltd. this week for failing to discover a security breach that reportedly occurred in 2016 and remained undetected until recently. The Guardian reported Sept. 25, 2017, that the breach may have compromised the firm's client email addresses. The incident is considered a trophy win for hackers and particularly embarrassing for Deloitte, a Big Four accounting firm and global cybersecurity consultancy.

Believing multiple access points, including mobile apps, may have enabled hackers to gain access to Deloitte's network, analysts warned companies that process and store consumer data to use advanced security methods to restrict remote worker access to sensitive customer data.

"One thing worth mentioning is that cyber attackers have migrated to mobile applications," said Michael Magrath, Director, Global Regulations & Standards at Vasco Data Security Inc. "Although convenient, mobile apps are typically developed with tight release cycles with user experience being most important and security not being the highest priority."

Ray DeMeo, founder and Chief Operations Officer at Virsec Systems Inc., said most breaches don't target well-protected resources directly; they typically exploit ancillary applications and remote entry points. "Hackers always look for the weakest link: web server vulnerabilities, stolen credentials or malicious insiders to gain a foothold," he stated. "Once inside, it's far too easy for hackers to pivot between apps, escalate privileges and access valuable data. And in far too many cases, sensitive data is copied outside of protected systems and accessible to a wide range of insiders and applications; this is where most of the damage occurs."

Monitor mobile apps

Magrath recommended using application shielding or Runtime Application Self-Protection (RASP) technology to proactively manage the threat of sophisticated malware by effectively detecting and preventing fraudulent app activities before they can start. "As noted in the PwC and BAE Systems report, APT10 utilizes malware as part of its espionage activity," he added. "Hardening network access while failing to lockdown mobile apps will leave organizations exposed and may leave CDE [cardholder data environments] unprotected."

DeMeo advised merchants and acquirers to keep online and business applications up to date and implement enhanced security measures ‒ that go beyond Payment Card Industry Data Security Standard (PCI DSS) requirements ‒ to protect all consumer information. "Any customer data should be encrypted whenever possible," he said. "Many businesses fall months behind on patching, needlessly exposing more data."

Strengthen privacy laws

Magrath emphasized the need for a risk-based, multilayered approach to security. "Identity management and access control are high on the list to protect CDE," he noted. "The PCI DSS provides a good baseline for security requirements as does the NIST CSF. Given the numerous cyberattacks on industries like banking, payment processors, credit reporting agencies and healthcare, I would argue that these industries are high risk."

DeMeo expects the recent rash of cybersecurity breaches to lead to broader privacy measures. "The PCI DSS is very specific about protecting credit card numbers, but not intended to provide broader privacy protection for consumers," he said. "As we experienced with Equifax, enormous amounts of sensitive personal data can be breached that doesn't necessarily contain credit card numbers. If we're serious about broader privacy protection, we need to consider privacy laws as broad reaching as the European GDPR. It's unlikely that this will be done at the federal level, but increasingly, states are likely to start strengthening privacy laws."

Editorial Note:

Notice to readers: These are archived articles. Contact information, links and other details may be out of date. We regret any inconvenience.